Policies

Policies are containers that group authorization rules addressing a specific business domain. Examples:

Document Access Policy: rules governing access to documents
Financial Approval Policy: rules for expense and payment approvals
HR Data Policy: rules protecting employee personal information

A policy defines the scope of a coherent set of authorization rules and provides built-in verification tools.

Policy Attributes

Attribute	Description
Name	Name of the policy
Description	Business description
Status	`DRAFT`, `ACTIVE`, `ARCHIVED`
Default Effect	`PERMIT` or `DENY` — determines the default behavior when no rule applies

Creating a Policy

Navigate to the Policies page
Click New Policy
Fill in the name, description, and default effect
The policy is created in DRAFT status

Policy Detail Screen

The policy detail screen is organized into two zones:

Toolbar:

Config (gear icon): opens a dialog to configure the Entity Types (subjects and resources) associated with the policy
Versions (history icon): opens a dialog to manage versions (create, validate, publish)
Menu (⋮): actions such as Edit, Delete, etc.

Entity Type Configuration

Each policy references entity types (defined in your schema) that can be used in its rules. This configuration is done via the Config dialog:

Add or remove entity types (subjects and resources)
Rules within the policy can only reference entity types configured in the policy

Version Management

Versions capture a snapshot of your rules at a point in time for deployment:

Create a version: snapshot of all enforced rules
Validate a version: syntax and consistency verification
Publish a version: activation for enforcement in policy engines (OPA, AVP)

Versions are accessible via the Versions dialog in the toolbar.

Verify Panel

The Verify Panel is a collapsible panel on the right side of the screen. It allows you to verify and validate the policy in real time. It contains 4 tabs detailed below.

Tests Tab

Generates and executes test scenarios at the policy level (covering all rules).

Automatic generation: Big ACL generates test scenarios in Gherkin format (Given/When/Then) by analyzing the rules and the data model
Execution: click Run Tests to execute the scenarios
Results: aggregated display (total, passed, failed) + per-scenario detail in accordion

Processing cycle:

NONE → GENERATING → READY
READY → RUNNING → READY
* → ERROR

The interface automatically polls (every 3 seconds) during processing to display results in real time.

Impact Tab

Analyzes the impact of rule changes on existing authorization decisions.

Summary: number of broken, fixed, and unchanged decisions
Details: list of impacted tests, audit replay results
AI Insights: automatic impact analysis

Processing cycle:

NONE → ANALYZING → READY
READY → ANALYZING → READY
* → ERROR

Translations Tab

Generates Cedar and Rego code corresponding to the policy’s rules.

Available formats: Rego, Cedar Schema, Cedar Policies
Visualization: code with syntax highlighting
Actions: copy to clipboard, regenerate
Freshness: the translation can become STALE if rules have changed since the last generation. A Regenerate button forces re-translation.

Processing cycle:

NONE → TRANSLATING → READY
READY → STALE → TRANSLATING → READY
* → ERROR

Assistant Tab (AI)

The AI assistant analyzes the policy’s rules and suggests optimizations.

Objective: enter a goal in natural language (e.g., “simplify document access rules”)
Analysis: launch the analysis (asynchronous)
Proposals: list of typed proposals with checkboxes
- Proposal types: Merge (merge rules), Split (split a rule), Simplify (simplify), etc.
Apply: select the desired proposals and click Apply to implement them

Processing Status

Each policy maintains a processing state for its 3 asynchronous operations (tests, translation, impact). Visual badges in the interface indicate the current status. Automatic polling (3s) is triggered only when an operation is in progress.